
NULL Pointer in ntl_to_buf()

Open · Leeziao opened this issue 1 year ago · 1 comment

The NULL pointer vulnerability happens in ntl_to_buf() (cee-utils/ntl.c). How the vulnerability happens:

1. ntl_to_buf() is invoked with buf being NULL and the first element of p being NULL.
2. The NULL variable buf gets dereferenced at `*buf = '\0';`.

Steps to reproduce:

1. Compile the following file (poc.c):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "ntl.h"

/* Element serializer handed to ntl_to_abuf(). A NULL buf means "only
 * report the length needed", so the NULL case never writes. */
size_t serialize_element(char *buf, size_t size, void *element) {
    if (!element) {
        const char *null_str = "null";
        if (buf) snprintf(buf, size, "%s", null_str);
        return strlen(null_str);
    }

    int *val = (int*)element;
    return snprintf(buf, size, "%d", *val);
}

int main(void) {
    ntl_t p = ntl_calloc(3, sizeof(int));

    struct ntl_str_delimiter delim = {
        .start_delimiter = '[',
        .element_delimiter = ", ",
        .last_element_delimiter = "",
        .end_delimiter = ']',
        .null_ntl = "[]"
    };

    /* result starts out NULL; this call reaches ntl_to_buf() with buf == NULL
     * (step 1 above) and crashes at `*buf = '\0';` (step 2). */
    char *result = NULL;
    ntl_to_abuf(&result, p, &delim, serialize_element);
    return 0;
}
```

2. Compile and run:

```console
$ gcc poc.c -o poc -L. -lreddit
$ ./poc
zsh: segmentation fault (core dumped)  ./poc
```

Leeziao · Feb 20 '25 12:02
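For comparison, the guarded shape of such a serializer, added here as an illustration and not cee-utils code: `list_to_buf`, `list_to_abuf`, `int_to_buf` and `struct delims` are hypothetical stand-ins, not the ntl API. A NULL buffer is treated as a size query, so the abuf-style wrapper can measure first and no code path dereferences it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef size_t (*to_buf_fn)(char *buf, size_t size, void *element);

/* Hypothetical element serializer: snprintf(NULL, 0, ...) writes nothing
 * and just reports the length needed, the convention the rest relies on. */
size_t int_to_buf(char *buf, size_t size, void *element) {
    return (size_t)snprintf(buf, size, "%d", *(int *)element);
}

/* Hypothetical stand-in for ntl_str_delimiter. */
struct delims { char start; const char *between; char end; const char *empty; };

/* Every byte goes through this guard: a NULL buf only advances *pos. */
static void put(char *buf, size_t size, size_t *pos, const char *s, size_t n) {
    if (buf && *pos + n < size)          /* '<' keeps one byte for the NUL */
        memcpy(buf + *pos, s, n);
    *pos += n;
}

/* Returns the serialized length (excluding the NUL). With buf == NULL it only
 * measures; the unguarded `*buf = '\0'` of the report is guarded at the end. */
size_t list_to_buf(char *buf, size_t size, void **list,
                   const struct delims *d, to_buf_fn to_buf) {
    size_t pos = 0;
    if (!list || !list[0]) {
        put(buf, size, &pos, d->empty, strlen(d->empty));
    } else {
        put(buf, size, &pos, &d->start, 1);
        for (size_t i = 0; list[i]; i++) {
            if (i) put(buf, size, &pos, d->between, strlen(d->between));
            size_t need = to_buf(NULL, 0, list[i]);           /* measure first */
            if (buf && pos + need < size) to_buf(buf + pos, size - pos, list[i]);
            pos += need;
        }
        put(buf, size, &pos, &d->end, 1);
    }
    if (buf && size) buf[pos < size ? pos : size - 1] = '\0';
    return pos;
}

/* Two-pass allocation, the shape an abuf() wrapper needs: measure with a
 * NULL buffer, allocate, serialize for real. Caller frees the result. */
char *list_to_abuf(void **list, const struct delims *d, to_buf_fn to_buf) {
    size_t need = list_to_buf(NULL, 0, list, d, to_buf);
    char *out = malloc(need + 1);
    if (out) list_to_buf(out, need + 1, list, d, to_buf);
    return out;
}
```

When the return value is not smaller than the buffer size the output was truncated to a well-formed prefix, which is the signal a caller should check instead of trusting the buffer contents.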